Here’s a set of basic iptables rules to protect a virtual PBX host from SIP REGISTER and SSH attacks.
UPD 20141218: now filtering all SIP packets, and in IPv6 as well.
```bash
apt-get install -y iptables-persistent

##### IPv4 rules #####
iptables -N dos-filter-sip-external
iptables -A INPUT -p udp -m udp --dport 5060 \
  -j dos-filter-sip-external
iptables -A INPUT -p tcp -m tcp --dport 5060 \
  -j dos-filter-sip-external
iptables -A INPUT -p udp -m udp --dport 5080 \
  -j dos-filter-sip-external
iptables -A dos-filter-sip-external \
  -m hashlimit --hashlimit 5/sec \
  --hashlimit-burst 30 --hashlimit-mode srcip \
  --hashlimit-name SIPMSG --hashlimit-htable-size 24593 \
  --hashlimit-htable-expire 90000 -j RETURN
iptables -A dos-filter-sip-external -j \
  REJECT --reject-with icmp-admin-prohibited

iptables -N dos-filter-ssh
iptables -I INPUT -p tcp -m tcp --dport 22 \
  --tcp-flags FIN,SYN,RST,ACK SYN -j dos-filter-ssh
iptables -A dos-filter-ssh -m hashlimit --hashlimit 3/min \
  --hashlimit-burst 10 --hashlimit-mode srcip,dstip \
  --hashlimit-name ssh_hash --hashlimit-htable-expire 60000 \
  -j ACCEPT
iptables -A dos-filter-ssh -j DROP

iptables-save > /etc/iptables/rules.v4

##### IPv6 rules #####
ip6tables -N dos-filter-sip-external
ip6tables -A INPUT -p udp -m udp --dport 5060 \
  -j dos-filter-sip-external
ip6tables -A INPUT -p tcp -m tcp --dport 5060 \
  -j dos-filter-sip-external
ip6tables -A INPUT -p udp -m udp --dport 5080 \
  -j dos-filter-sip-external
ip6tables -A dos-filter-sip-external \
  -m hashlimit --hashlimit 5/sec \
  --hashlimit-burst 30 --hashlimit-mode srcip \
  --hashlimit-name SIPMSG --hashlimit-htable-size 24593 \
  --hashlimit-htable-expire 90000 -j RETURN
ip6tables -A dos-filter-sip-external -j \
  REJECT --reject-with icmp6-adm-prohibited

ip6tables -N dos-filter-ssh
ip6tables -I INPUT -p tcp -m tcp --dport 22 \
  --tcp-flags FIN,SYN,RST,ACK SYN -j dos-filter-ssh
ip6tables -A dos-filter-ssh -m hashlimit --hashlimit 3/min \
  --hashlimit-burst 10 --hashlimit-mode srcip,dstip \
  --hashlimit-name ssh_hash --hashlimit-htable-expire 60000 \
  -j ACCEPT
ip6tables -A dos-filter-ssh -j DROP

ip6tables-save > /etc/iptables/rules.v6
```
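To see what `--hashlimit 5/sec --hashlimit-burst 30 --hashlimit-mode srcip` actually lets through, here is an added Python model of the SIP rule as a per-source token bucket (an approximation of the kernel's credit bucket, not the rules above or the iptables code itself), run over constructed traffic: a phone re-REGISTERing once a minute and a scanner sending 100 packets per second. The IP addresses and packet timings are made up for the demonstration.

```python
from collections import defaultdict

# Parameters taken from the SIP rule in the post:
#   --hashlimit 5/sec --hashlimit-burst 30 --hashlimit-mode srcip
RATE_PER_SEC = 5
BURST = 30
CREDIT = 1000  # integer credits per packet, so no floating-point drift


class HashLimit:
    """Per-source token bucket approximating hashlimit --hashlimit-mode srcip."""

    def __init__(self, rate_per_sec=RATE_PER_SEC, burst=BURST):
        self.refill_per_ms = rate_per_sec * CREDIT // 1000  # 5 tokens/s -> 5 credits/ms
        self.cap = burst * CREDIT                           # burst = bucket capacity
        self.buckets = {}                                   # src -> [credits, last_ms]

    def allow(self, src, now_ms):
        b = self.buckets.setdefault(src, [self.cap, now_ms])  # new source starts full
        b[0] = min(self.cap, b[0] + (now_ms - b[1]) * self.refill_per_ms)
        b[1] = now_ms
        if b[0] >= CREDIT:
            b[0] -= CREDIT
            return True   # -j RETURN: packet continues down INPUT
        return False      # no credit left: falls through to REJECT


def simulate(packets):
    """packets: iterable of (timestamp_ms, src_ip); returns {src: (passed, rejected)}."""
    hl = HashLimit()
    counts = defaultdict(lambda: [0, 0])
    for ts, src in sorted(packets):
        counts[src][0 if hl.allow(src, ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def constructed_traffic():
    """Constructed sample: one phone registering every 60 s, one scanner at 100 pkt/s for 10 s."""
    phone = [(60_000 * i, "192.0.2.10") for i in range(10)]
    scanner = [(10 * i, "203.0.113.5") for i in range(1000)]
    return phone + scanner


if __name__ == "__main__":
    for src, (ok, rej) in simulate(constructed_traffic()).items():
        print(f"{src}: {ok} passed, {rej} rejected")
```

The phone is never throttled, while the scanner gets its 30-packet burst plus 5 packets per second and the rest is rejected; tune `--hashlimit-burst` to the number of SIP messages a legitimate endpoint sends in one go (a registration with authentication takes at least two).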
#1 by Fred on April 24, 2014 - 5:20 pm
“…-m udp…” is not valid. You will not get an error but IPTABLES will just ignore that part.
#2 by txlab on April 28, 2014 - 7:21 am
I checked the manpage, and it is indeed a valid option. You can see extra parameters if you enter “iptables -m udp -h”
#3 by Fred on April 24, 2014 - 9:47 pm
I haven’t tried the rest. I think if you just remove that it’s ok.
#4 by unicsolution on March 13, 2015 - 5:37 am
This will monitor all SIP requests and not just registration, correct?
#5 by txlab on March 13, 2015 - 7:26 am
yes. Initial version filtered REGISTER messages only, and now it applies to all SIP messages.
#6 by Ed Sweazy on April 2, 2016 - 3:40 pm
Thank you so much for this How-To, my PBX SIP server was being hammered by a sipvicious attack! I tried to block by source IP within the Linux firewall but every 5 minutes was hit with a new IP address. I installed iptables-persistent with the iptables rules provided and was able to stop the attack dead in its tracks!!!
YOU GUYS ARE AWESOME, THANKS A MILLION!!!